HA passive device keeps making failed PAN-DB cloud connection
Created On 04/10/24 09:49 AM - Last Modified 10/27/25 01:37 AM
Symptom
- Firewall in HA passive state
- A recent PAN-OS upgrade or HA failover has been completed
- The passive firewall must not make any connection attempt to the URL cloud (only the active firewall performs this operation), but connection attempts to the PAN-DB cloud are seen in the system log of the passive firewall.
firewall(passive)> show log system direction equal backward
2024/03/27 07:51:16 medium url-fil cloud-e 0 CLOUD ELECTION: cannot elect a cloud
2024/03/27 07:51:16 high url-fil url-clo 0 URL cloud list is empty. Cannot initiate cloud connection.
2024/03/27 07:51:16 high url-fil url-clo 0 CURL ERROR: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
2024/03/27 07:51:16 high url-fil url-dow 0 PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name).
2024/03/27 07:49:15 medium url-fil cloud-e 0 CLOUD ELECTION: cannot elect a cloud
2024/03/27 07:49:15 high url-fil url-clo 0 URL cloud list is empty. Cannot initiate cloud connection.
2024/03/27 07:49:15 high url-fil url-dow 0 PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name).
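Added example (not part of the original article and not Palo Alto Networks code): a Python check that parses exported system log output in the format shown above and reports repeated PAN-DB cloud failures on a passive peer. The column layout in the regex and the two-attempt threshold are assumptions; the sample input is the excerpt from this page.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the system log excerpt quoted on this page.
SAMPLE_LOG = """\
firewall(passive)> show log system direction equal backward
2024/03/27 07:51:16 medium url-fil cloud-e 0 CLOUD ELECTION: cannot elect a cloud
2024/03/27 07:51:16 high url-fil url-clo 0 URL cloud list is empty. Cannot initiate cloud connection.
2024/03/27 07:51:16 high url-fil url-clo 0 CURL ERROR: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
2024/03/27 07:51:16 high url-fil url-dow 0 PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name).
2024/03/27 07:49:15 medium url-fil cloud-e 0 CLOUD ELECTION: cannot elect a cloud
2024/03/27 07:49:15 high url-fil url-clo 0 URL cloud list is empty. Cannot initiate cloud connection.
2024/03/27 07:49:15 high url-fil url-dow 0 PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name).
"""

# Assumed columns: timestamp, severity, subtype, event, id, description.
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

# Message fragments taken from the log lines on this page.
PANDB_FAILURES = (
    "CLOUD ELECTION: cannot elect a cloud",
    "URL cloud list is empty",
    "PAN-DB cloud list loading failed",
    "urlcloud.paloaltonetworks.com",
)

def pandb_failure_bursts(log_text):
    """Return {timestamp: entry count} for PAN-DB cloud failure entries."""
    bursts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the CLI prompt, headers and blank lines
        ts, _sev, subtype, _event, _id, desc = m.groups()
        if subtype.startswith("url-fil") and any(f in desc for f in PANDB_FAILURES):
            bursts[datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")] += 1
    return dict(bursts)

def retry_intervals(bursts):
    """Seconds between consecutive failed attempts, oldest first."""
    times = sorted(bursts)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def is_retry_loop(bursts, min_attempts=2):
    """A passive peer should log none of these; repeats match the symptom."""
    return len(bursts) >= min_attempts
```

Run it against log text collected from the passive peer only; the same messages on the active firewall indicate a different problem.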
Environment
- Palo Alto Firewalls
- PAN-OS 10.2.x
- High Availability Active/Passive Setup
- PAN-DB cloud
Cause
The devsrvr process on the HA passive device is stuck in a loop.
Resolution
It is recommended to upgrade the software to PAN-OS 10.2.16, 11.1.11, 11.2.6, 12.1.0 or later releases.
The following workaround is available for this issue:
- Restart the devsrvr process on the HA passive device using the following command from the CLI:
> debug software restart process device-server
- Restarting the devsrvr process is non-impacting, but we recommend performing this operation during non-peak hours or during a maintenance window.